Many Canadian small businesses say they don’t allocate any portion of their annual operating budget to cyber security, according to an Insurance Bureau of Canada online survey this summer.
Asked what percentage of their firm’s annual operating budget is spent on cybersecurity, almost half (47 per cent) of respondents said they spent nothing. That’s worse than in 2019, the last time a similar survey was done, when one-third of respondents said their operating budget had nothing allocated to cybersecurity.
An operating budget would include money for IT staff salaries and fixed costs, like regular licensing or subscription payments to software vendors, insurance, training costs, as well as data breach costs such as fines and lawyers. In addition, small IT departments are unlikely to have a dedicated cybersecurity staff: all members of IT are expected to handle the normal duties of information technology, including cybersecurity.
However, an operating budget doesn’t include spending on the purchase of hardware and software. That’s in a company’s capital budget – which the survey didn’t ask about.
The survey did show that most respondent firms are spending on cybersecurity. Asked what type of defences against cyberattacks their company has currently implemented, 78 per cent said they have at least one of a list that included anti-virus, data backup, firewall, encryption, controlled use of foreign applications and training.
On the other hand, when asked if their business has implemented defences against a possible cyberattack, 48 per cent said no.
The online survey of 300 small businesses (defined as firms with between one and 499 employees) was done between July 28th and August 5th. Because it was done online there is no estimate of the margin of error.
The survey was released as part of the annual Cybersecurity Awareness Month.
Asked if it was a major oversight that respondents weren’t asked about their capital spending, Jordan Brennan, the bureau’s vice-president of policy, didn’t answer directly. Instead he said it was “surprising” that, given the rising number of cyberattacks, respondents in this year’s survey said they spend nothing on cybersecurity in their operating budget.
When it was pointed out organizations could be investing more on cybersecurity in capital spending than in past years, Brennan simply repeated that the survey shows many respondents say they dedicate nothing to cybersecurity in their operating budgets.
Among other findings:
- 21 per cent of respondents said their firm had suffered a cyber attack in the past;
- of those who were victimized, 58 per cent said it cost them less than $100,000, while 41 per cent said it cost them at least that;
- 66 per cent of respondents felt confident in their business’s ability to withstand a data breach or website shutdown. That included 86 per cent of those with 100 to 499 employees. Those that currently have cyber insurance (83 per cent) were more optimistic than those who didn’t (60 per cent);
- overall, 24 per cent of respondents said their firm is insured in some way against a cyber attack.
Brennan recommended that business owners follow these steps to help secure their data:
- enforce multi-factor authentication on login and network access;
- focus on email security: enable attachment scanning, use external sender banners and train staff (or develop protocols) on spotting and containing malicious phishing attempts; and
- run regular data backups and make sure the accounts used to run backups have unique credentials.